Geekzone: technology news, blogs, forums




5 posts

Wannabe Geek


# 140871 23-Feb-2014 11:02

Hi guys

I'm running JUNOS 12.1X44-D30.4 and am connected to Voyager internet via "enable fibre", tagged as vlan 10. The connection speed I chose for UFB is 100/50, and I am after some advice on the following issue.

When performing a speed test at either speedtest.net or speedtest.telecom.co.nz I seem to have limited inbound traffic which won't go past around 25 - 30 mbit; however, upload speed is completely fine, topping out at 50mbit as expected.

Here is the interesting thing: I also have a ZyXel VMG8324-B10A router that I have been using for a few tests.

Test 1.
If I remove the SRX110 and replace it with the ZyXel my speeds shoot up to 95mbit / 50Mbit first and every time. (Using the same ONT, cables etc.)

Test 2.
With both routers combined, i.e. ZyXel set to "Bridge mode and vlan 10" and then the SRX110 used to do PPPoE only with tagging removed from the SRX, the SRX110 will also output 95mbit / 50Mbit.

Test 3.
Testing the SRX110 on Chorus UFB with exact same config and still connecting to Voyager this works perfectly too no speed issues.

So from my tests above it seems that the SRX is performing poorly only on inbound traffic and only through "enable fibre" and only when the SRX is doing the vlan tagging.

Has anybody else had this issue on an SRX110 on the "enable network" ?

Any feedback appreciated...



My sanitized config is below

root@larry> show configuration
## Last commit: 2014-02-22 22:21:21 NZDT by root
version 12.1X44-D30.4;
system {
    host-name larry;
    domain-name local;
    time-zone Pacific/Auckland;
    root-authentication {
        encrypted-password "$XXXXXXXXXXXXXXY."; ## SECRET-DATA
    }
    name-server {
        210.55.31.111;
        114.23.1.1;
        114.23.2.2;
    }
    services {
        ssh;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            pool 192.168.0.0/24 {
                address-range low 192.168.0.128 high 192.168.0.200;
                name-server {
                    210.55.31.111;
                }
                router {
                    192.168.0.1;
                }
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands info;
        }
    }
    max-configurations-on-flash 49;
    max-configuration-rollbacks 49;
    archival {
        configuration {
            transfer-on-commit;
            archive-sites {
                "ftp://XXXXXXXXXX:/juniper-backups" password "XXXXXXXXXXXXXXXX"; ## SECRET-DATA
            }
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }                              
    }                                  
    ntp {                              
        server 114.23.1.1;             
        server 114.23.2.2;             
    }                                  
}                                      
interfaces {                           
    interface-range default-vlan-members {
        member-range fe-0/0/1 to fe-0/0/7;
        description "### LAN Interfaces ###";
        unit 0 {                       
            family ethernet-switching {
                port-mode access;      
                vlan {                 
                    members vlan-trust;
                }                      
            }                          
        }                              
    }                                  
    fe-0/0/0 {                         
        vlan-tagging;                  
        unit 0 {                       
            description "### WAN Interface ###";
            encapsulation ppp-over-ether;
            vlan-id 10;                
        }                              
    }                                  
    pp0 {                              
        no-per-unit-scheduler;         
        unit 0 {                       
            ppp-options {              
                chap {                 
                    default-chap-secret "XXXXXXXXXXXXXX"; ## SECRET-DATA
                    local-name "XXXXXXXX@ufb.vygr.net";
                    passive;           
                }                      
            }                          
            pppoe-options {            
                underlying-interface fe-0/0/0.0;
                auto-reconnect 20;     
                client;                
            }                          
            family inet {              
                mtu 1492;              
                filter {               
                    input internet-inbound;
                }                      
                negotiate-address;     
            }                          
        }                              
    }                                  
    vlan {                             
        unit 0 {                       
            family inet {              
                address 192.168.0.1/24;
            }                          
        }                              
    }                                  
}                                      
routing-options {                      
    static {                           
        route 0.0.0.0/0 next-hop pp0.0;
    }                                  
}                                      
protocols {                            
    rstp;                              
}                                      
policy-options {                       
    prefix-list voyager-management {   
        114.23.64.130/32;              
        210.55.30.56/32;               
    }                                  
}                                      
security {                             
    flow {                             
        tcp-mss {                      
            all-tcp {                  
                mss 1452;              
            }                          
        }                              
    }                                  
    screen {                           
        ids-option untrust-screen {    
            icmp {                     
                ping-death;            
            }                          
            ip {                       
                source-route-option;   
                tear-drop;             
            }                          
            tcp {                      
                syn-flood {            
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;        
                }                      
                land;                  
            }                          
        }                              
    }                                  
    nat {                              
        source {                       
            rule-set trust-to-untrust {
                from zone trust;       
                to zone untrust;       
                rule source-nat-rule { 
                    match {            
                        source-address 0.0.0.0/0;
                    }                  
                    then {             
                        source-nat {   
                            interface; 
                        }              
                    }                  
                }                      
            }                          
        }                              
        destination {                  
            pool homepc {              
                address 192.168.0.69/32;
            }                          
            rule-set nat-translations {
                from zone untrust;     
                rule homepc-3389-tcp { 
                    match {            
                        destination-address 0.0.0.0/0;
                        destination-port 3389;
                    }                  
                    then {             
                        destination-nat pool homepc;
                    }                  
                }                      
            }                          
        }                              
    }                                  
    policies {                         
        from-zone trust to-zone untrust {
            policy xbox-block-internet {
                match {                
                    source-address xbox;
                    destination-address any;
                    application any;   
                }                      
                then {                 
                    deny;              
                }                      
            }                          
            policy trust-to-untrust {  
                match {                
                    source-address any;
                    destination-address any;
                    application any;   
                }                      
                then {                 
                    permit;            
                }                      
            }                          
        }                              
        from-zone trust to-zone trust {
            policy trust-to-trust {    
                match {                
                    source-address any;
                    destination-address any;
                    application any;   
                }                      
                then {                 
                    permit;            
                }                      
            }                          
        }                              
        from-zone untrust to-zone trust {
            policy homepc-nat {        
                match {                
                    source-address VoyagerLan;
                    destination-address homepc;
                    application vygr-3389-tcp;
                }                      
                then {                 
                    permit;            
                }                      
            }                          
        }                              
    }                                  
    zones {                            
        security-zone trust {          
            address-book {             
                address homepc 192.168.0.69/32;
                address xbox 192.168.0.160/32;
            }                          
            host-inbound-traffic {     
                system-services {      
                    all;               
                }                      
                protocols {            
                    all;               
                }                      
            }                          
            interfaces {               
                vlan.0;                
            }                          
        }                              
        security-zone untrust {        
            address-book {             
                address priLan XXX.XXX.XXX.XXX/32;
            }                          
            screen untrust-screen;     
            host-inbound-traffic {     
                system-services {      
                    ping;              
                    ssh;               
                }                      
            }                          
            interfaces {               
                fe-0/0/0.0;            
                pp0.0;                 
            }                          
        }                              
    }                                  
}                                      
firewall {                             
    filter internet-inbound {          
        term management-ssh-only {     
            from {                     
                source-prefix-list {   
                    voyager-management;
                }                      
                protocol tcp;          
                destination-port ssh;  
            }                          
            then accept;               
        }                              
        term deny-ssh {                
            from {                     
                protocol tcp;          
                destination-port ssh;  
            }                          
            then {                     
                reject;                
            }                          
        }                              
        term allow-all {               
            then accept;               
        }                              
    }                                  
}                                      
applications {                         
    application vygr-3389-tcp {        
        protocol tcp;                  
        destination-port 3389;         
    }                                  
}                                      
vlans {                                
    vlan-trust {                       
        vlan-id 3;                     
        l3-interface vlan.0;           
    }                                  
}     

1990 posts

Uber Geek

Trusted

  # 992738 23-Feb-2014 12:38

It does look like an issue with the Juniper but have you gone through this thread? http://www.geekzone.co.nz/forums.asp?forumid=135&topicid=136800

Do you still get cumulative 50Mbps if you do concurrent speedtests on 2 or 3 computers? It might just be related to latency or something with TCP receive window on the PC.




Qualified in business, certified in fibre, stuck in copper, have to keep going  ^_^



5 posts

Wannabe Geek


  # 992753 23-Feb-2014 13:08

Thanks for the post but I don't believe it will help me. I understand about "TCP receive window" and have considered that. This issue also exists on Mac and Linux which don't have TCP scaling the way Windows does, but that isn't the issue anyway as the same PC works fine through the Juniper if Bridged with ZyXel so it really comes down to some weird tagging issue.
BTW I have tried multiple SRX110s too, an H and an H2 series, and they are all the same, plus I have tried it on 3 different "enable networks" circuits, so it is definitely something between enable and SRX and something to do with the way the SRX is doing the tagging, I suspect.


 
 
 
 


2385 posts

Uber Geek

Trusted

  # 992790 23-Feb-2014 14:14

Check http://www.geekzone.co.nz/forums.asp?forumid=66&topicid=109388&page_no=2

Regarding the 802.1p marking/Version of Software/and the MTU you have set on various interfaces.


dwl

363 posts

Ultimate Geek


  # 992815 23-Feb-2014 14:52

skewkus:
...snip...
Any feedback appreciated...

You seem to have done a good job trying to isolate so I can't add much.

One thought is whether the speed negotiated with the ONT differs with the SRX or whether the ZyXel is providing some smoothing of the traffic. It is possible that with 1 Gbps negotiated with the SRX directly connected that there are brief bursts (at 1 Gbps line rate) from the Enable network that are occasionally exceeding the SRX processing capability with VLANs enabled and TCP will hate that. If you can limit autonegotiation to 100M you might get different results.

Certainly an interesting issue ....

Edit:  It seems the SRX110 might be limited to 100baseT (I should have checked) so my suggestion above isn't quite right - it could be that the ONT doesn't like 100M - my question is now what the ZyXel is doing - 1G?



5 posts

Wannabe Geek


  # 993053 23-Feb-2014 22:39

The ZyXel is 1gbit WAN, and yes, it could be a weird compatibility issue between the ONT and the SRX at 100mbit. I did think of that, but I find it difficult to understand why, if that was the case, I still get 50mbit upstream.
I'm still thinking it is a tagging issue at this point, but I am particularly interested in hearing from anyone who is through Enable (doesn't matter which ISP) who uses an SRX110 (or any Juniper for that matter).

 

We spoke to a guy from enable very briefly and he mentioned that there may be a weird issue with the way the SRX tags its outbound packets, but we haven't had a chance to have a good conversation with them yet.

When I do find out what it is I will post here too so others can know, but in the meantime if anyone has an SRX and is in Chch or anywhere else using enable, please let me know.



5 posts

Wannabe Geek


  # 994335 25-Feb-2014 18:44

Further to my issue

I found the following thread.

http://www.geekzone.co.nz/forums.asp?forumid=82&topicid=115751&page_no=3

It is from a guy who had practically the exact same issue as me a while back. He reports that the only way he could get full speed was to have something with a 1gbit port in between his 100mb router and the ONT, being either a 1gbit switch or router in bridge, and after months of troubleshooting it appeared to be a shaping issue with Orcon's BNG. I am now working with the main Voyager engineer and will run some tests on the Voyager BNG and see if that could be the issue. Either way, I think I have narrowed down what the problem is now, and even if I have to place a small gbit switch between my ONT and SRX it is no big deal; it's just annoying as we can't exactly tell our customers to do that :) We need to fix the actual cause as the SRX is our standard enterprise router. Anyhow, I really appreciate your interest and feedback with this topic and will keep you posted if you're interested once I have a complete resolution, but that may be a while :)
